A large family of quantum weak coin-flipping protocols 
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Each classical public-coin protocol for coin flipping is naturally associated with a quantum protocol 
for weak coin flipping. The quantum protocol is obtained by replacing classical randomness with 
quantum entanglement and by adding a cheat detection test in the last round that verifies the 
integrity of this entanglement. The set of such protocols defines a family which contains the protocol 
with bias 0.f92 previously found by the author, as well as protocols with bias as low as f /6 described 
herein. The family is analyzed by identifying a set of optimal protocols for every number of messages. 
In the end, tight lower bounds for the bias are obtained which prove that 1/6 is optimal for all 
protocols within the family. 

PACS numbers: 03.67.Hk 



I. INTRODUCTION 

Quantum weak coin flipping is a two party quantum 
protocol for agreeing on a random classical bit, where 
Alice wants outcome zero and Bob wants outcome one. 
Its main constraint is that a cheating player should not 
be able to bias the coin in their favor by more than some 
parameter e. 

Previous work by the same author [l| has shown that 
there exists a quantum weak coin-flipping protocol with 
bias e = 0.192, that is, such that neither player can win 
by cheating with a probability greater than 0.692. The 
protocol with bias 0.192 was a generalization of the one 
by Spekkens and Rudolph which achieved a bias of 
1/V2 - 1/2 ~ 0.207. Both belong to a large family of 
quantum weak coin-flipping protocols that are based on 
a set of classical games involving public coins. 

The purpose of this paper is to study this large fam- 
ily of protocols for quantum weak coin flipping. In par- 
ticular, we will prove that the optimal protocol in this 
family has a bias of 1/6, though such a bias can only be 
reached in the limit of arbitrarily large messages. Be- 
cause our lower bound analysis is constructive, we shall 
give explicit descriptions of protocols with biases that are 
arbitrarily close to 1/6. 

The protocols with bias of 1/V2— 1/2 was originally 
described in Ref. as part of a different family of pro- 
tocols for quantum weak coin flipping, all of which in- 
volved three messages. Lower bounds for this family 
were obtained by Ambainis which proved that the 
e = 1/V2 — 1/2 protocol was optimal within the family. 
Though our family does not contain every protocol in the 
Spekkens and Rudolph family, it does contain its optimal 
protocol. 

The best lower bound currently known that applies to 
all weak coin-flipping protocols is by Ambainis jj| and 
states that the number of messages must grow at least 
as ri(loglog -). Ambainis' result rules out attaining an 
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arbitrarily small bias with a fixed number of messages, 
thus the importance of looking at protocols with arbi- 
trarily large number of messages. We believe that our 
result is the first of its kind in lower bounding the bias of 
a large family of protocols that includes instances with 
every number of messages. 

Other important work related to quan tum weak coin 
flipping includes Refs. [H, El E3- TU3| among others. 
Also related are the results on quantum strong coin flip- 
ping (a variant where ideally neither player should be 
allowed to bias the coin in cither direction). The best 
known protocol for strong coin flipping has a bias of 1/4 
0, Q whereas Kitaev has proven a lower bound of 
1/V2 — 1/2 for the optimal bias. 

Before proceeding we shall give a working definition 
of quantum weak coin nipping as a quantum communi- 
cation protocol where two parties (Alice and Bob) start 
off unentangled and then exchange a series of sequential 
quantum messages after which they must each output a 
single classical bit. Their outputs are required to satisfy 
the following constraints 

• If Alice and Bob both follow the protocol their out- 
puts must always agree. Furthermore, the prob- 
ability that Alice wins (i.e., both parties output 
zero) is given by Pa whereas the probability that 
Bob wins (i.e., both parties output one) is given by 
P B = l-P A . 

• If Alice is honest (i.e., follows the protocol), then 
independent of Bob's actions, Alice will not output 
one with a probability greater than P B . 

• Similarly, if Bob is honest and Alice is dishonest, 
Bob will not output zero with a probability greater 
than P%. 

The only security assumption for the above protocol is 
that a cheating player cannot directly affect the qubits in 
their opponent's laboratory; that is, we desire protocols 
with information-theoretic security. 

The parameters Pa , Pa an d -Pjj wm be used to describe 
a coin-flipping protocol. Obviously, we'd like to make P* A 
and P B as small as possible. For simplicity, the merit of 
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a coin-flipping protocol is often quoted by specifying the 
bias e = max(P^, P*) - 1/2. 

Note that whereas the usual definition of coin flipping 
requires Pa = Pb = 1/2, we will allow in this paper any 
value of Pa € [0, 1]. This will allow us to derive a set of 
tradeoff curves for versus Pg . 

The rest of the paper is organized as follows: Sec. [D] 
describes some of our notation concerning tree variables, 
and will introduce the theorem relating classical coin 
games to quantum protocols for weak coin flipping. The 
theorem, which is a generalization of the work in Ref. , 
is proven in Appendix^ Though the full description of 
the quantum protocol is only given in the appendix, a 
brief description is presented at the end of Sec.lTTl 

The main new results of the paper are presented in 
the two subsequent sections: the proof of lower bounds 
for the bias in Sec. IHII and the description of matching 
protocols in Sec. IIVI 

We also include in Appendix an analytic derivation 
of the bias e = 0.192 of Ref. |l| which was originally found 
using numerical techniques. Though the result itself has 
been superseded by the protocols with bias 1/6, we in- 
clude the derivation because it uses a fairly different set 
of techniques that could potentially be useful elsewhere. 



II. NOTATION 

Throughout this paper we shall make ample use of bi- 
nary trees. All trees henceforth will be composed exclu- 
sively of binary nodes and leaves, and the leaves will all 
be located at the same depth. 

The nodes of a tree will be labeled by binary strings 
so that the leftmost node at depth k gets labeled by k 
zeroes, and the rest will equal one plus the binary value 
of the node to their left (keeping the number of digits 
constant). The root node will be denoted by the letter 
r, which will behave as the empty string so that x — r 
implies xO — and xl = 1. With these conventions the 
left descendant of node x is xO and the right descendant 
is xl. We define |x| as the length of the binary string x, 
which also corresponds to the depth of node x. 

In this paper we shall use calligraphic fonts, such as 
G, to denote an assignment of a number or expression 
to each node of a binary tree. Given an assignment G, 
the value of node x will be Q x . Most of our notation 
is summarized by Fig. 2] Note that, though we shall 
always be working with trees of fixed finite depth, we 
shall usually leave the depth implicit. 

We define an n-Coin-Game as an assignment Q to a 
depth n binary tree such that Q x £ [0, 1] for all x and 
Q x £ {0, 1} for all leaves (i.e., for all x such that \x\ = n). 
To each n-Coin-Game, G, we can associate a classical 
n- message public-coin coin-flipping protocol as follows: 
The state of the protocol at each step will be described 
by a node in the tree, and this information will be kept by 
both Alice and Bob. The game begins at the root node 
and proceeds downward until reaching a leaf node. If the 
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FIG. 1: A depth 3 binary tree. 



current node x is a binary node of even depth, then Alice 
chooses which path to follow and announces the choice 
to Bob. This is done probabilistically, by announcing 
the outcome of a public coin with bias Q x , so that Alice 
chooses the left path with probability Q x and the right 
path with probability 1—Q X . The same mechanism occurs 
at odd binary nodes, except that Bob is responsible for 
choosing the direction and announcing it to Alice. The 
game ends when arriving at a leaf node x, in which case 
Alice wins if Q x — and Bob wins if Q x = 1. 

Note that we do not require that the coin-flip be fair 
when both Alice and Bob are honest. Given an n-Coin- 
Game G, we can define TC on a tree of the same depth by 
the equations: 



7~Lx 




if \x\ = n, 
(1 - Gx)Tixi if \x\ < n. 



(1) 



The value of H x indicates the conditional probability that 
Bob would win given that the game arrived at node x, 
assuming both players play honestly. The value of TL r is 
Bob's probability of winning for an honest game, which 
is clearly bounded between and 1. 

For each n-Coin-Game G, we also define A and B on a 
tree of the same depth by the equations: 



A,, 



B x = I 



l-G x 

GxAl + (1 - Gx)A 2 xl 
GxVAxo + (1 - G x )VA x i 

'Gx 

GxVBxo + (1 — G X )\JB X \ 
GxB 2 xQ + (1 - Gx)Bl x 



for |x| = n, 

\x\ even, |x| < n, 

\x\ odd, \x\ < n, 

for \x\ = n, 

\x\ even, \x\ < n, 

\x\ odd, \x\ < n. 



(2) 



The importance of these quantities is given by the fol- 
lowing theorem: 

Theorem 1. For each n-Coin-Game, G , there exists an 
(n+1) -message quantum weak coin-flipping protocol such 
that 



PaPI 
PbP% 



B 2 



(3) 
(4) 
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and the honest probabilities of winning are 

P A = (l-P B ) = (l-H r ), (5) 

where A, B andJi are defined in terms ofQ by Eqs. 



The quantum protocol 

In this section we shall give a brief approximate de- 
scription of the quantum protocol, which should provide 
the needed intuition. The full description of the protocol 
is contained in Appendix El along with the proof of the 
above theorem. A simpler version of the protocol also 
appears in Ref. 

The basic idea is to take the classical public-coin pro- 
tocol associated with an n-Coin-Game, Q, replace the 
classical randomness with quantum entanglement, and 
then add a cheat detection step. 

Classical shared randomness can be replaced by quan- 
tum entanglement using states of the form 

vG|o)®|o) + </L=a|i)®|i), (6) 

where one qubit belongs to Alice and one to Bob. The 
randomness can be extracted at any time by measuring 
both qubits in the computational basis. 

In the classical protocol associated with Q described 
above, Alice and Bob slowly built up a shared random 
string. After the first k messages they shared a random k- 
bit string, where string x has probability V x (the formal 
definition of V is given in Eq. IjAlOl) ). The quantum 
protocol is constructed so that, after k messages, Alice 
and Bob share the state 

m = Yl V^\ x )® i*>- (7) 

X 

\x\=k 

In the classical protocol, the sender of the message (Alice 
for odd messages and Bob for even messages) has control 
over its content and hence the ability to cheat at that 
step, whereas the other player has no control over the 
given step. In the quantum protocol the same structure 
is maintained. The basic step to go from a fc-bit string to 
a k + 1-bit string is for the message sender to append two 
qubits in the zero state, then apply a controlled unitary 
on the two qubits with the other k bits as control, and 
finally to send one of the qubits to the other player: 

|V>fc> — » |V>*><8|00) (8) 

— » VK\x) A ®\x) B 

\x\=k 

®(v / ^|00) + v / l-^|H)) 
— y Y Y VT^i\xi} A (g>\xi) B ^\4' k+1 ). 



After n messages, at the end of the classical protocol, 
Alice and Bob share an n-bit string, which determines 
the coin outcome based on the value of the corresponding 
leaf of Q . In the quantum protocol, they do the equiv- 
alent measurement, but using a two outcome POVM so 
that most of the entanglement is preserved after the mea- 
surement. This allows a cheat detection step to be ap- 
pended to the end of the protocol as follows: the winner 
of the coin-flip based on the POVM must send over all 
of their qubits to the other player for inspection. The 
other player will end up with a pure state and can do 
a projection onto the final state and its complement. If 
the latter result is obtained, then cheating is detected 
and the losing player can declare victory, otherwise that 
player acknowledges defeat. In either case, the first player 
always declares victory. 

Note that, though it is possible for both players to 
declare victory at the same time, this can only occur if 
one of them was cheating, and in such cases we always 
expect the cheating player to declare victory anyway. 

The rest of this paper contains the analysis of the fam- 
ily of protocols, which will identify the protocol with bias 
of 1 /6 and prove that it is optimal within the family. 

III. LOWER BOUNDS ON THE BIAS 

In this section we shall derive lower bounds for the set 
of P A and P B that can be achieved with quantum proto- 
cols based on n-Coin-Games as defined in Theorem ^ 

Definition 2. For n E Z + , define the set A n C IR 2 so 
that (A, B) S A„ if and only if there exists an n- Coin- 
Game, Q , with A = A r and B = B r and A and B defined 
in terms of Q by Eq. 0). 

For each (A,B) G A„ there exists an (n + l)-message 
quantum coin-flipping protocol such that PaP*a = ^ 
and P B P B = B 2 . Furthermore, if (P A P A : \/ p bP b ) £ 
A n then there is no protocol built out of a n-Coin- 
Game that achieves Pa, Pa an d P B - However, it is 
not true that (PaPa: \JPbPb) e implies the exis- 
tence of a protocol with those parameters. For example, 
(0.3531, V0.3531) G A2 because there exists a 3-message 
protocol with P A ^ 0.515, P* A ~ 0.686, P* B ~ 0.728, how- 
ever there are no 3-message protocols with Pa = Pb = 
1/2 and P% = P B ~ 2* 0.353 = 0.706. The optimal sym- 
metric 3-message protocol is the one by Spekkens and 
Rudolph with P* A = P* B = 1/V2 = 0.707. Though it 
would be preferable to study the set of achievable triplets 
{A r , B r ,H r ), the sets A„ are easier to analyze and in the 
limit n — > 00 will provide us with interesting bounds. 

We begin the study of the sets A„ by showing that 
they can be obtained inductively: 

Lemma 3. The set A„ is the convex combination of pairs 
of points from the set {{B 2 , y/A) \ (A, B) e A n _i}. 

Proof. Given an n-Coin-Game, Q, define the variable 7 = 
Q r G [0, 1] and the two (n - l)-Coin-Games QW> and 
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FIG. 2: The curve (t 2 ,y r T^t) for t G [0, 1]. The convex hull 
of the curve is the region A2, with the dashed line serving as 
lower boundary. 



by 




for |x| = n — 1, 
for \x\ < n — 1, 



(9) 



for i — 0,1. There is a natural isomorphism between Q 
and the triplet 7,£ (0) ,£ (1) . 

Furthermore define A^' and fiW in terms of in 
the usual way. Note that A^ and # w are not the left 
and right branches of A and B defined from Q but rather 



J$ = g ix an d gw = _4 m _ Therefore 



M _ 



7 (b(»') 2 + (i- 7 )(sw) 2 , (10) 



B r = 7V / ^ 0) + ( 1 -7)V^ 



(11) 
□ 



The set Ai is fairly simple and corresponds to the con- 
vex combinations of the two points (1, 0) and (0, 1), which 
could be thought of as comprising A . Using Ai and the 
above lemma we can prove two simple properties of the 
sets A n : 

1. (0, 1) G A„ and (1,0) G A„ for all n. 

2. A„ C [0, 1] x [0, 1] for all n. 

Both properties are clearly true for Ai. By induction 
(0,1) G A n _i and (1,0) G A n _! implies that (l 2 ,^) and 
(0 2 ,\/T) are in A„. Similarly, if (A,B) G A„_i implies 
A G [0,1] and B G [0,1], then {B 2 ,y/J) G [0,1] x [0,1] 
and so are convex combinations of such points. 

The first non-trivial set is A2 which is the convex 
combination of the points on the curve (i 2 , \J\ — t) for 
t G [0, 1]. The curve is plotted in Fig. El The dotted line 
marks the lower boundary of its convex hull which can 
be achieved using convex combinations of two points (the 
rest of the lower boundary of the convex hull is simply 
the curve itself). 



Rather than keeping track of the sets A n , it will be 
simpler to study exclusively their lower boundary, which 
will be curves connecting the points (1,0) and (0, 1). All 
the optimal protocols will live on these curves, and all 
points below the curves will be unattainable. To formal- 
ize the notion of lower boundary we associate to every 
function f(z) : [0, 1] — > [0, 1] the following sets: 

/+ = {(z,w)\ze [0,1], /(z) <w< 1}, (12) 
/= = {(z,w)\ze [0,1], /(*) = «>}, (13) 
/- = {(z,w)\ze [0, 1], f(z) >w>0}. (14) 

Returning to the case of A2 and Fig. [3 we see that 
the lower boundary follows the original curve yl — \fz 
between (1, 0) and some point which we shall call (0.2, fa). 
It then turns into a straight line connecting the point 
(0:2, fa) to the point (0,1). The point {a^,fa) can be 
found by calculating the slope of the line connecting each 
point to (0,1) and choosing the point that achieves the 
maximum. 

In fact, all of the lower boundaries will have this form. 
Define for n > 1 




\J~Z for z G [0, On], 
for z G [a n ,l], 



3(n+l) : 



fa = 



■in 



(15) 



(16) 



For the case n = 1 we define fi(z) = 1 — z, which is the 
limit of /„ as n — > 1. Because a n G (0, 1) and fa G (0, 1) 
for all n > 1, the functions satisfy f n (z) G [0,1] for all 
z G [0, 1]. These functions are also the lower boundaries 
of convex regions: 

Lemma 4. For all n > 1, the function f n is strictly 
decreasing, and the region U /+ is convex. 

Proof. The case of n = 1 is trivial. For n > 1 we have 



gn 
1 — Qn 



for z G [0, a n ], 
for z G [otn, 1], 



(17) 



which is well defined and negative on (0, 1]. For z near 
zero, f(z) ~ 1 — (1 — (3^)/(2y/a^)y/z, therefore f(z) is 
also strictly decreasing at z = 0. 

The derivative is also continuous on (0, 1] because at 
z = a n we have 



fa 



V3(n +1) 1 - Pl 



1 



a n 2y/n(n + 2) 4a„/3„ 



(18) 



Furthermore, in the region (0, a n ), the second derivative 
is 



fn( Z ) = fn(z) 



1 

2z 

f'niz) 



U(Z) 



(19) 



4z^T/ 2 (z) 



[2V^-3(1-/? 2 )V^] >0 
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where the inequality holds because 3(1-/3^) < 2. There- 
fore f' n (z) is monotonically increasing on (0,1], and the 
region above f n (z) in this interval is convex. The point 
(0, 1) can be included because the closure of a convex set 
is convex. □ 

We are now ready to prove the main lemma of this 
section. 

Lemma 5. For all n G Z + . A„ C and C A n . 

Proof. The statement is clearly true for n = 1 since 
Ai = /f\ We will prove the rest of the cases induc- 
tively. Assume the theorem holds for A„, which implies 
that (z,f n (z)) € A„ for all z. By Lemma we have 
that (f%(z),y/z) e A n+ i for all z 6 [0,1] and so are 
convex combinations of pairs of such points. The curve 
parametrized by {f 2 (z), yfz) can also be described by the 
points (w,g n (w)) for 



9n[w) 



\j^-( 1 rr)V^ for w e [0, (3, 



n ] * 



fziH 1 - w ) 



(20) 



for we [/3 2 ,i] 



Note how under the map (x,y) — > (y 2 , y^) the straight 
line turns into a curve, and the curve turns into a straight 
line. Furthermore, because of the exchange of x and y, 
the straight line ends up on the right-hand side. 

The pattern of points a n and f3 n , in addition to guaran- 
teeing that the region above f n (z) is convex, also satisfies 
the recursion relation 



1 - a n _ 2y/n{n + 2) 



2 



n+1 



\/3(r 



1) 



(21) 



and therefore g n {z) = /„ + i(z) in the region [0, a n+ J 
(since a n +i < 1/3 < /3, 2 ). Pictorially, the curve <7= is like 
the curve f^+ii except that the straight line intersects 
the curve somewhat to the right, and hence the region 
above is not convex. Its convex hull will give us the 
region above the curve f^+i- 

Thus far we have shown g^ C A n +i, as are convex 
combinations of pairs of points on the curve g^ ■ Because 
Sn = fn+i m the region [0, a n +{\ we know that this seg- 
ment of the curve is in A„+i. The rest of the curve f^+i is 
simply the convex combination of the points (a n +i, f3 n +i) 
and (1,0) both of which are in g=- We have therefore 
proven the second part of the lemma: f^+i C A ri+1 . 

We now intend to prove that g n (z) > f n +i(z) for all 
z 6 [0,1]. The statement is clearly true in the region 
[0, a n+ i] where both are equal. In the region [/3 2 , 1] it is 
also true because both functions are straight lines ending 
in (1, 0), and the starting point of the lines are g n ((3 2 ) = 
v^T and f n +i(P 2 ) = /3n+i(l - /3 2 )/(l - a„+i). The 
inequality f n +i(/3 2 ) > g n (f3 n ) can be proven by checking 
that lf n+ i((3 2 n )/g n ([3 2 n )} 2 - 1 = -4/[n 2 (n + 3)] < for 
n > 1. Finally, in the region [a„ + i,/3 2 ] the functions 
fn+i{z) and g n (z) start off at the same point, with the 
same derivative, but f'n+i(z) = in this region whereas 



g'n{z) initially is positive, and has only one zero in the 
region, which can be checked as in Eq. (|19fl . If the curve 
g n were to cross the curve f n +i at any point in this region, 
then it would have to end below it. However, we already 
argued that ff n (/3 2 ) > fn+i{(3 2 ) and therefore the curve 
g^ must lie above the curve f^+i m the middle region as 
well. 

So far we have shown that (g~ U #+) C (f^+i U fn+i)- 
By the induction assumption, A„ C / r 7 U /+ . Under the 
map (x,y) — > (y 2 ,y/x), the region f= U /+ maps into 
the region to the right of the curve g^, which also equals 
the region g= U because g n (z) is strictly decreasing, 
.9n(l) = 0, and g n {0) = 1- Finally, using Lemma [3] we 
know that A n +i is contained in the convex combination of 
points in g= {Jg+. Because (g=Ug+) C {fn+i^fn+i), and 



fn+i u /n+i is convex, we have A„ +1 C f n+1 U /, 



71+ 1" 



□ 



Combining the previous lemma with the definition of 
the sets A„, we have proven the following theorem: 

Theorem 6. Every (n + l)-message quantum weak coin- 
flipping protocol based on an n-Coin-Game satisfies 



PbP* b > fl(P A P* A ). 



(22) 



Additionally, we have the following corollary for the limit 
of n — > oo: 

Corollary 7. All quantum weak coin-flipping protocols 
based on an n-Coin-Game (for any n e Z + ' ) satisfy 



PaP*a < 77 



PbP* B < 77 



In particular, 



P B P* B > 1 - 2 



pap: > i 



^A>- (23) 



PrP 



max{P A P* A ,P B P*) > 



(25) 



max(Pl,P|)> 



for Pa = Pb = 



1 



Proof. The above results use the limit: 

foo{z) 



l-^V^ forze[0,i], 



(26) 



(27) 



□ 



i£(l-z) for ze [1,1], 
which has the symmetry b = /^(a) a = 

IV. OPTIMAL PROTOCOLS 



In this section we will describe protocols that match 
the lower bounds derived in the previous section. In a 
sense, most of the work has already been done since the 
proof of the previous section was constructive. What re- 
mains undone is to explicitly construct the n-Coin-Games 
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and to calculate from them Pa , P\ and P B (rather than 
only their products). 

From the discussion of the previous section we can see 
that the interesting (n + l)-Coin-Games live on the curve 
fn+v The points on the rounded part of the curve (the 
left segment) involve no convex combinations of points 
from n-Coin-Games and therefore are not new (i.e., they 
are protocols that can be described by a single n- Coin- 
Game with Alice's and Bob's role reversed). The inter- 
esting points at level n + 1 lie on the straight segment 
and are the combination of the points (a„+i, /3 n +i) an d 
(1,0). To understand this segment we need to describe 
the n-Coin-Games that produce points (/3„ +1 , ^Ja n+ i) 
and (0, 1). The second point corresponds to a tree that 
is fairly simple: it has the value 1 at every leaf and the 
rest of the nodes are irrelevant. The n-Coin-Games for 
(Pn+ii \J a n+i) is what we shall describe next. 



Lemma 8. For each n E Z 4 
such that 



th 



ere is an n 



B^ 



n+l 



n + 3 
3(n + l) : 



\fu~r, 



2(n+l) 

n+l 
2(n+2) 



3(n + 2) ' 
n even, 
n odd, 



-Coin- Game, 

(28) 
(29) 

(30) 



with A {n) , B {n) and H {n) defined in terms of by 
Eqs. fJlijjj . In particular, the associated quantum weak 
coin-flipping protocols have: 



P A (n) 



Pl(n) = 



i-n 



A. 



(n) 



(8< 



n+2 
2(n+l) 

n+3 
2(ri+2) 

2(n+3) 
3(n+2) 
2(n+2) 
3(n+l) 
2(n+l) 
3(n+2) 

2n 
3(n+l) 



n even, 

n odd, 

n even, 

n odd, 

n even, 

n odd. 



Proof. Define the parameters 



In 



(31) 



(32) 



(33) 



(34) 



which are the weights needed for the convex combina- 
tions. And let 



which leads to A r =2/3 and B 



7i) 
(i) 



gW = i, g?> = o, 



(i) _ 



n 



(i) 



1/3. 



rest of the Coin-Games arc defined inductively: 

y r — In, 



G (n) 



1 



gt~ l) 



(n) 



,(n-l) 



,(n-l) 



for 
for 



\x\ = n - 
\x\ < n - 



for = n — 1, 
for \x\ < n — 1. 



(35) 
The 

(36) 
(37) 

(38) 



74 



73 



1-2 
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1 
FIG. 3: A truncated tree equivalent to Q^ A \ 

The values of f° r M < n ~ 1 are actually irrelevant 

but were chosen so that Q x n ^ — 7n-|z| whenever < 
n—1, and therefore these protocols fit into the subfamily 
studied in Ref. 0. 

The reason for inverting the value of the leaves relates 
to our insistence that Alice always send the first mes- 
sage, which implies that the sender of the last message 
alternates as n is increased and correspondingly the as- 
signments of winning and losing for the coin outcome 
need to be flipped. 

In fact, the pattern of the leaves is fairly simple. It is 
chosen so that it depends on the parity of the location 
(from left to right) of the first 1 symbol in the string x. In 
the quantum protocol this translates into the first sender 
of a 1 qubit being the winner of the coin-flip (assuming 
they pass the cheat detection phase). 

In fact, the trees Q( n > would best be described by trun- 
cated trees of the form of Fig. [21 However, we shall con- 
tinue using trees with all leaves at the same depth in 
order to be consistent with the previous section. 

Returning to the proof of the lemma, it is easy to see 



that A\ 



(n) 



1 and B[ n J 



Hi™ =0 for all strings x. The 



left side of the tree satisfies A 



and «W = 1 - 
root nodes are 



n 



O-i) 



O) 

O.i' 



B 



(«-i) 



" 



A ( 



(n-l) 



for all strings x. Therefore the 



7n(^ ,l " 1} ) 2 +(l-7n)l, (39) 



B(«) = 7 „/4"- 1) 



= 7n ( i - m 



/(n-l) 



+ (1 - 7n ) 0, (40) 
+ (1 - 7 „) 0. (41) 



It is then straightforward to plug in the expressions as 
functions of n for all the above parameters and check that 
Eqs. (|28II30|I are always satisfied. □ 



Interestingly, the sequence of protocols is such that 
Pa and Pg do not change when n increases from an odd 
integer to an even one, whereas PjJ and P B do not change 
when n increases from an even integer to an odd one. We 
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offer no intuition for this property. Note, however, that 
for a given n, the associated protocol corresponds to a 
single point on the surface of optimal protocols in the 
3-dimensional space of triplets (Pa, Pa> Pb) * na t can be 
achieved with n + 1 quantum messages. 

For large n, the sequence of protocols converges to 
P A = P B = 1/2 and P* A = P* B = 2/3, yielding a protocol 
with bias of 1/6. It would also be desirable to show the 
existence of a sequence of protocols that converges to the 
same point but such that Pa = Pb = 1/2 for every pro- 
tocol in the sequence. This can be easily accomplished 
by choosing, for each n, the point along the curve 
that has H r = 1/2. In the Coin-Game language we need 
to modify the top coin Q r , and we therefore introduce a 
new sequence of Coin- Games Q'^ n ' defined as 



we find: 



y x = 



L/ (2 - 2H [ r 



(n-l) 



otherwise. 



(42) 



For simplicity, we will concentrate on the case when n is 
even so that: 



(«) 



1 («) 



(n) 



n + 1 
n + 2 
n + 1 

n + 2 
n+1 

n + 2 



1 



(„-i) 



A 



(1-74 B_1) ) 



(43) 
(44) 
(45) 



and the associated probabilities of winning by cheating 
are 



2X 



in) 



PX(n)' ■■ 
P B (n)> = 2(b;<*>) 



2 

3' 

2 (n + 1) 2 

3 n(n + 2)' 



(46) 
(47) 



That is, we have identified a nice sequence of quantum 
protocols with n + 1 messages (for n even) where Pa = 
Pb = 1/2 and P\ = 2/3 are all fixed and P B decreases 
from 3/4 to 2/3. Of course, the case n = 2 belongs to the 
family studied by Spekkens and Rudolph and satisfies 
P1P*b = 1/2. 

As discussed in the introduction to the previous sec- 
tion, the above protocols are optimal in the following 
sense: to decrease one of P\ or P B while keeping the 
number of messages fixed, we would have to increase 
the other parameter. However, the protocols are not 
optimal in the sense that they minimize the bias e = 
max(P^, P B ) — 1/2 for a fixed number of messages. Only 
in the limit of infinite messages is the bias of the above 
protocols optimal. 

Thus far, we have identified the point (1/3, a/1/3) S 
/= as a protocol with P A = 1/2 and P* A = P* B = 2/3. 
The other points on the curve can be found using 
the same trick of modifying the top coin Q r . That is, let 
Q'^ n ' be as above but with Q' r ^ — t, where t S [0, 1] is 
a parameter we can choose freely. In the limit of n — > 00 



A' r {oo) (t) 
B' r ioo \t) 

K (oo \t) 



t- + (l-t), 
1 

t-. 

2 



(48) 
(49) 
(50) 



The associated quantum weak coin-flipping parameters 
are 



Pa® 
Pl(t) 



2 3-2< 



3 2-t ' 
2 

-t. 

3 



(51) 
(52) 
(53) 



These protocols correspond to the right half of the curve 
/= (i.e., the points (zJM) for z € [1/3,1]). The 
other half of the curve can be obtained by symmetry be- 
tween Alice and Bob. In the Coin-Game formalism this 
symmetry arises by creating a new (n + l)-Coin-Game, 
Q' , out of given n-Coin-Game, G, by the rules Q' r = 1, 
S' 0x = Q[ x = Qx for \x\ < n and Q' 0x =Q' lx = \-Q x for 
\x\ = n. In the language of protocols, we are forcing Al- 
ice's first message to have no content, which is equivalent 
to allowing Bob to begin the game. 

The results can be best summarized by eliminating the 
variable t from Eqs. I|51H53|I . which proves this section's 
main theorem: 

Theorem 9. There exist quantum weak coin-flipping 
protocols that asymptotically approach the curve 



P1 + Pb- ~P\Pb = 1 



(54) 





3 


PI 




P*A < P*B, 


Pa = 


4 


when 


Pb = 


3 
4 


P*B 


when 


P*A > P*B- 



in the limit of large number of messages. The correspond- 
ing probabilities of winning when the game is played hon- 
estly are 



(55) 
(56) 



Implementing the optimal protocols 

Surprisingly, the optimal protocols identified above are 
significantly easier to describe and implement than a 
generic protocol associated with a random n-Coin-Gamc. 
Here we shall present a brief description of the simplified 
protocol associated with the Coin-Games from Eqs. Q42I - 
113. 

We begin by fixing a security parameter n, which will 
lead to an n+2 message quantum protocol. For simplicity 
we assume that n is even. 
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The first n messages of the quantum protocol each in- 
volve one player preparing a two qubit entangled state 
and sending one of the two qubits to the other player. 
The two qubit states can be written as 



V^7|oo) + v / T-^~|ii) 

for i = 1, . . . , n, where 




(57) 



(58) 



As usual Alice is in charge of sending the odd messages 
(and hence preparing the odd numbered states) whereas 
Bob sends the even numbered messages. 

At the end of the above procedure Alice and Bob 
should each have n qubits, which can be expressed in 
a basis of n-bit strings with the most significant bit cor- 
responding to the first qubit sent or received. They now 
each perform a two-outcome measurement which can be 
described as follows: let S be the set of all n-bit strings 
such that the first occurrence of the digit one, when the 
bits are examined from left to right, appears at an even 
location, again counting from left to right (i.e., for n = 4 
we have S = {0001,0100,0101,0110,0111}). The two 
outcome measurement is given by the POVM elements 



E 



Ei, 



E x 



Ei 

ICSES 



(59) 



As usual Alice wins on outcome zero and Bob wins on 
outcome one. Note that, in essence, the first person to 
send a qubit in the "one" state is the winner at this 
stage. However, the following cheat detection step will be 
powerful enough to dissuade against the obvious cheating 
strategy. 

Before outputting the final answer the party who won 
sends all their qubits over to the losing party who then 
does an extra cheat-detecting two-outcome measurement 
to verify that the 2n qubit state now in their possession 
is the correct one (i.e., they project onto the state and 
its complement). Unfortunately, this final step is likely 
to be very fairly difficult with current technology for any 
n > 2. 

In the end, the resulting protocol goes to a bias of 1/6 
as n is taken to infinity. For n — 4 Bob's probability of 
winning by cheating is P B = 0.694 whereas for n = 6 we 
get P B = 0.681. Furthermore, Alice's cheating is always 
restricted at P\ = 2/3. Protocols with more symmetry 
between Alice and Bob can also be described as above by 
changing the coefficients {cti}. 



V. CONCLUSIONS 

We have identified a large family of quantum protocols 
for weak coin flipping, that are based on classical public- 
coin games. The family contains protocols approaching 



the curve P 



A 



Pi 



1 r A r B 



1, which can be reached 



asymptotically in the limit of large number of messages. 
The most important of these protocols is symmetric be- 
tween Alice and Bob and achieves Pa = Pb = 1/2 and 
P A = p b = 2 A that is > it has a bias of 1/6. 

Furthermore, we have proven lower bounds for the 
bias achievable by protocols in this family. In particu- 
lar, max(P%,P B ) > 2/3 or equivalently e > 1/6. These 
lower bounds show that the protocols found above are 
optimal within their family. 

Our lower bounds also establish a strict hierarchy 
among coin-flipping protocols in our family with differ- 
ent number of messages. Admittedly, the hierarchy is 
of little practical interest since a small number of mes- 
sages suffices in all cases to construct protocols that are 
reasonably close to optimal. 

Though the question of optimal bias for a general quan- 
tum weak coin-flipping protocol remains open, we specu- 
late that it might be possible to show that every protocol 
is equivalent to one contained in the family analyzed in 
this paper. Future work will be needed to verify this 
conjecture. 
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APPENDIX A: THE PROTOCOL 

The purpose of this appendix is to describe the (n+1)- 
message quantum weak coin-flipping protocol associated 
to each n-Coin-Game. For each protocol we shall also 
derive matching upper and lower bounds on the amount 
that each party can cheat and thereby prove Theorem ^ 

All the general ideas needed in this section have ap- 
peared previously in Ref. [[J, though in a somewhat dif- 
ferent notation. The new elements of this appendix are: 

1. Ref. p) was restricted to n-Coin-Games where all 
the binary nodes at the same depth had the same 
value (i.e, Q x = Q x > if |a;| = \x'\ < n). These vari- 
ables were given the name dj so that Q x — a\ x \+x- 
In this section we lift the restriction and consider 
general n- Coin- Games. 

2. An upper bound on P^ and Pg was derived in 
Ref. |j| but was not proven optimal. In this sec- 
tion we shall derive a matching lower bound. 

Because most of the ideas here have been published 
elsewhere, we shall simply prove the necessary facts in 
this section without providing the intuition or motiva- 
tion behind the constructions. For a more pedagogical 
approach we refer the reader to Ref. Q . 



9 



We begin by fixing an n-Coin-Game Q, which will be 
used throughout this section. We also fix H, A and B 
as given by Eqs. il 112ft . Because optimal protocols with 
H r = and H r = 1 are easy to construct even classically, 
for what follows we shall assume that < Ti r < 1. 

To describe the quantum protocol associated with Q we 
employ the standard quantum communication model in- 
volving the Hilbert space decomposition Ha ® Hm <8> Hb, 
where Ha is Alice's private space, Hb is Bob's private 
space, and H M is the space used for passing messages. 
We further subdivide these spaces as follows: 



H A = H a 
Hb = Hb < 
Hm = H m 



3H„ 



- 1 H aC} 



(Al) 
(A2) 
(A3) 



The spaces H a and H\> each consists of n qubits and will 
be used to store a binary string x corresponding to a 
node in Q . The individual qubits comprising each space 
will be referred to as a\ through a n and b\ though b n 
respectively. The one-qubit space H m will be the primary 
means of communication between Alice and Bob, and will 
be referred to as qubit m. 

The rest of the spaces will only be used in the last pair 
of messages. The spaces H a i, Hy and H mn each involve 
n qubits whereas H ac and Hb c each contain one qubit. 

Before describing the protocol we need to define a set 
of unitaries on Ha ® Hm- We begin with the controlled 
rotations Ra.u defined for k = 1, . . . , n by 



R-A,k — 



where 



U(z) = 



X 

|a;|=fc-l 



o 

o VT - ~ 

\VT^~l 



\ X )« u ...,a^ 1 ® U (G*)a*,m, (A4) 







\fz -yl - z 







-y/T=z 





(A5) 



The subscripts on the operators and matrices indicate 
what qubits they act on, and Ra,u acts trivially on all 
qubits of Ha ® Hm not explicitly mentioned. For the 
case fc = 1 the operator is not a controlled rotation but 
rather a regular rotation using parameter Q r . 
We shall also need the controlled rotation 



Ra,e = l^L, 

X 

\x\ — n 



^ — Qx -Qx 
Qx l — Qx 



(A6) 

which is unitary because Q x € {0, 1} for |x| = n. The gate 
is simply a controlled-X applied to the qubit in space H aci 
where the control depends on a function of the qubits in 
H a . Note that Ra,e can also be defined as an operator 
acting purely on Ha rather than Ha <8> Hm- 

Finally, define Sa, fe for fc = 1, . . . , n to swap qubit a& 
with qubit m: 



S A ,k = SWAP (a fc ,m). 



(A7) 



We also need Ta,o which swaps H a with H mn conditioned 
on qubit ac being zero, and Ta,i which swaps the space 
H a ' with the space H nm conditioned on qubit ac being 
one: 



?Xo = |0><0| ac 
T A ,x = \l){l\ ac 



) SWAP {H a ,H mn ) - 
SWAP(H mn ,H a ,) 



|l)(l| oc ® J,(A8) 
|0)<0| oc ®J.(A9) 



The first one is used to send the qubits in H a when Alice 
wins, whereas the second one is used to receive Bob's 
qubits and put them in H a i when Alice loses. 

All the above operators act on Alice's Hilbert space. 
We can similarly define the operators RB,k, Rb,e, Sbm 
acting in the same way on Bob's qubits. The operator 
Tb,o however has to be defined to swap Hy with H mn 
conditioned on qubit be being zero, whereas Tg,i swaps 
H with H mn conditioned on qubit be being one. 

To characterize the final measurements it is useful to 
define the probability tree V by 



V x = 




if x = r, 
if x = yO, 
if x = j/l. 



(A10) 



That is, V x is the probability of reaching node x when the 
classical coin-flipping game associated with Q is played 
honestly. We can now define the two normalized states 



1 



AA 



<l~i r 



E 

X 

\x\—n 

S x =l 



V x \x) Ha <g> \x) H ,®\l) Ha 



IV' 



1 



B.O = 



E 

X 

\x\—n 
Sx=0 



VJx) 



\x)h„, ® \0) Hi . 



(All) 

The normalization is correct because H r is the proba- 
bility of arriving at a leaf x such that Q x — 1, whereas 
1 — TL r is the probability of arriving at a leaf with Q x = 0. 
We are now ready to describe the main protocol. 

Protocol 1. Given an n-Coin-Game, Q, and the asso- 
ciated operators described above, define a quantum weak 
coin-flipping protocol by the following steps: 

1. Setup: Alice starts with Ha <8 Hm and Bob with 
Hb- They each initialize their space to the state 
|0>. 

2. First n messages. For k = 1 to n: 

• If k is odd, Alice applies Ra,m ond sends Hm 
to Bob who applies SB,k- 

• If k is even, Bob applies Rb,r oxid sends Hm 
to Alice who applies SA,k- 

3. Alice applies Ra.e to Ha and Bob applies Rb,e to 
Hb ■ No messages are needed for this step. 
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4- If Bob has Hm he sends it to Alice. 

5. Alice applies Tao an d sends Hm to Bob who ap- 
plies Tb : o- 

6. Bob applies Tb,i and sends Hm to Alice who ap- 
plies Ta,i- 

7. Alice measures using the two outcome POVM {I — 
|^A,l)(^4,l|) Bob measures the two 
outcome POVAf' {\i> B 'o)(i>B,o\, I - \i>B,o)(i>B,o\}- 
They each output zero for the first outcome and one 
for the second. 

The basic intuition behind the protocol is that the 
first three steps above is a quantum implementation of 
the classical public-coin coin-flipping protocol associated 
with Q described in Sec. |n] After k messages the first k 
bits of Ha contain a length k string indicating the depth 
k node at which we are currently located. The quantum 
amplitude associated with each such state is y/V x - Step 
3 is a unitary realization of the measurement that looks 
at the n bit string x corresponding to a leaf, and stores 
the classical coin outcome in the qubit associated with 
H ac for Alice and H^ c for Bob. 

The rest of the steps involve cheat detection. Effec- 
tively, the winner declares victory immediately and then 
sends as much of their state as possible to the other party. 
The losing party then checks that the state is correct be- 
fore accepting defeat. 

Note that, as written, the above protocol takes either 
n + 2 or n + 3 messages. However, it is easy to see that 
the protocol can be run with only n + 1 messages. For 
starters, only the space H m needs to be sent back and 
forth in step 2, whereas only H mn is used in steps 5 and 
6. If we allow such a splitting, Alice starts with H mn 
and step 4 is never needed. This reduces the protocol to 
n + 2 messages always. But if n is odd then Alice ends 
up sending two messages in a row. The two messages can 
be combined into a single longer message and therefore 
the protocol only requires n + 1 messages. We will also 
argue below that steps 5 and 6 can be interchanged, in 
which case when n is even Bob sends two messages in a 
row, and their merger leads again to a protocol with only 
n + 1 messages. 

We turn to the task of describing the evolution of the 
game when both players are honest. The action of Ram 
entangles qubit au with qubit m, whereas Sbm swaps 
qubit m with b^. Their combined effect is the transfor- 
mation 

VK\x) au ..., ak ^ ® \°)a k ® |0> 6 , (A12) 
— V^l^,...,^ ® |0> Ofc ® \0) bh 



' ai ,...,a fc _i 



lb k - 



first k passes through step 2 is given by 
|^fe)=E \xO---0)„ a ®\0) Ha ,®H ac (A13) 

X 

\x\=k 

where there are n — k zeroes following each x. 

Step 3 simply has the effect of setting up the fair coin 
outcome in H ac and Hb c : 

llM = Yl ^ Wh. ® l°}jr , ® \Sx) Hae (A14) 

X 

\x\=n 

®\x) Hb ®\o) Hi ,®\g x ) Hbc ®\o) HM . 

Finally, when both players are honest, step 5 has the 
effect of moving H a to Hf conditioned on qubits ac and 
be both being one. Step 6 has the effect of swapping Hi, 
to H a i conditioned on ac and be being both zero. The 
final state of the protocol is therefore: 



(A15) 



\i> F ) = V^\x) Ha ® \x) Ha , ® l 1 )^ 



\x\— n 



®|0> ff6 ® \0) Bv ® l 1 )^ ® I0) fffl 

E Vv~A0)„ a ® |o) Ho< ® \o) Hac 



\x\— n 



'Six) 



5 \x) Hb , ® |0) Htc 
^l^i) ® |0) Hi> «H h , ®|!)^ 



+ ^Jl-H r \0) 

H a ®H a , ® l°)ff ac ® I^B.o) ® \Q)h m - 

Because 1^,1) is orthogonal to any state with the value 
zero in register H ac and \ipB,i) is orthogonal to any state 
with the value one in register Hb c , there are only two 
possible outcomes for the final measurements: 

• Alice obtains I — \?pA,i} (*Pa,i\ an d Bob obtains 
1^3,0) ("^-B.o | in which case they both output zero, 
that is, Alice wins. This happens with probability 

i-n r . 

• Alice obtains \1pA.1) (ipA,i\ an d Bob obtains / — 
|V'-B,o)(' ! / ; s,o| m which case they both output one, 
that is, Bob wins. This happens with probability 

H r . 

We have therefore proven the following lemma: 

Lemma 10. When playing Protocol 1 honestly, Alice's 
and Bob 's outputs are perfectly correlated and satisfy 



The same effect occurs on even rounds when Alice's and 
Bob's actions are reversed. Therefore, the state after the 



Pa = 1-H r , 



p b = n r . 



(A16) 
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1. Reformulation as an SDP 

We now turn to the analysis of the advantage that a 
cheating player can attain. Specifically, we shall focus 
on the case of honest Alice and cheating Bob. The case 
where Alice is cheating is fairly similar and will be derived 
at the end of the appendix from the case of cheating Bob. 

When Bob is cheating we don't know exactly what 
operations (unitaries, measurements, or superoperators) 
he may be applying to his qubits. In fact, we don't even 
know how many qubits he may have in his laboratory. We 
shall therefore focus only on the evolution of the qubits 
under Alice's control. This approach, first advocated by 
Kitaev |ll| . will transform the maximization over Bob's 
cheating strategies into a semidcfinite program (SDP). 

Let po be the initial state of all qubits under Alice's 
control, that is, it is a density operator on Ha <S> Hm- 
Let pi, .. . ,p n be the state of the qubits under Alice's 
control after each of the n passes through step 2. Note 
that pk is a density operator for Ha when k is odd, and 
for Ha <S> Hm when k is even. Finally let pe be the state 
of Ha ® Hm at the end of step 4 and let pp be the state 
of Ha ® Hm at the end of step 6. 

Because Alice initializes her own qubits as prescribed 
by the protocol without interference from Bob, their ini- 
tial state is given by 



Po = |0)(0| 



H A ®H M - 



(A17) 



For odd k, Alice first applies the unitary Ra,u and then 
sends Hm to Bob, leaving the state 



Pk 



Tr 



M 



RA,k Pk-lR 



A.k 



(for k odd). (A18) 



For even k, we can't fully characterize pk in terms of pk-i 
but we know that given pk, if we undo the swap Sa, k and 
then send back Hm we must end up with pk-i, therefore 



Tr 



M 



^A\Pk^A,k = Pk-i (for fc even). (A19) 



Step 3 only involved the use of Ra,e, a unitary on Ha- 
Step 4, the recovery of Hm , is only needed when n is odd. 
Therefore, 

Pe = Ra,e PnR~^E f° r n even, (A20) 

Tr M Pe = Ra.e PuR^e for n odd - ( A21 ) 

Finally, the state of the qubits on Ha after applying 
Ta,o to Pe must equal the state pp if we undo Ta,\ (be- 
cause as usual, Bob has no effect on Alice's qubits): 



Tr 



t aa PfTa,i 



= Tr 



T A ,op E Txl ■ (A22) 



The probability that Bob wins is given by the final 
measurement 



T^[\^a,i)(iPa,i\pf] , 



(A23) 



where it is understood that \ipA,i) | can be extended 
to an operator on Ha®Hm by tensoring with the identity 
hi- 

The preceding arguments show that no matter what 
cheating strategy Bob employs, the sequence of states 
for Alice's qubits must satisfy the above equations, and 
therefore P B is upper bounded by the maximum of 
Eq. I|A23I) over all assignments to the variables po, ■ ■ ■ , p n , 
Pe, Pf consistent with the above equations. It is also not 
hard to see that Bob can achieve any set of density ma- 
trices consistent with the above equations by maintain- 
ing the purification of Alice's state. As this reduction 
from maximization over cheating strategies to SDP has 
already appeared in the literature 0, Hi E3 we won't 
belabor the point and simply state the lemma we have 
proven: 

Lemma 11. The maximum probability with which Bob 
can win by cheating in Protocol 1 is given by the solution 
of the SDP: 



P B = max Tr [ 



■>A,i 



}(iPa,i\pf] 



(A24) 



over the positive semidefinite variables po, . . . , p n , pe, Pf 
subject to the constraints of Eqs. \A1\ 



The security of the above result depends solely on the 
laws of quantum mechanics and the assumption that Bob 
cannot directly influence the qubits in Alice's laboratory. 
We note that we are assuming, as is usual in coin-flipping 
protocols, that Alice can measure the size of the Hilbert 
space Hm (i-e-, the number of qubits sent by Bob in each 
message) and that if at any point she receives more or 
less than the required number of qubits she aborts the 
protocol and declares herself the winner. The optimal 
strategy for Bob involves sending the right number of 
qubits in each message and therefore is described by the 
above formalism. 

It will be important below to know that we can ex- 
change steps 5 and 6. This would work as follows: given 
Pe we send Hm to Bob, who is supposed to apply Tb,i 
to his qubits. Upon return, Alice applies Ta.i followed 
by Ta,o ending up with state p' F satisfying 



Tr 



M 



t a,! t a,o p'fTa,oT a ,i] = Tr A/ [p E ] . (A25) 



The final measurement can be done immediately before 
sending Hm to Bob because it only has support on Ha- 
The probability of Bob winning is 



Tr I 



>AA 



)^aAp' f \- 



(A26) 



However, only has support on the space where 

qubit ac is one, and in this subspace Ta,o acts trivially 
(and Ta,o and Ta.i commute). Applying projectors to 
both sides of the Eq. (|A22|) and Eq. I|A25|I we see that 
both SDPs are equivalent, and therefore steps 5 and 6 are 
interchangeable, at least from the perspective of honest 
Alice. 
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2. Lower Bounds 

To find a lower bound on P B we shall describe a spe- 
cific assignment of the variables p that satisfies the above 
equations, and from it calculate Tr Pf\- Be- 

cause P B is a maximum over such assignments, this will 
serve as a lower bound. 

Let 



Pk 



^®|0)(0|a fe+11 ...,a„®l°)< k,®H ac fc0dd 

® |0)(0| Ofe+l! ... !On ® |Q)(O| ffo , 0ffac8ffM fc even 

(A27) 

where a k is a density operator for qubits a\ through a k . 
The operators p\ through p n satisfy Eqs. (|A18IA19|) pro- 
vided that 



cr fe = Tr, ; 



RA,k C 



n-1 



(for k odd) 
(A28) 



where ao = 1 is the unit, and 

Tr Qfc [a k ] = cr fe _a (for fc even). (A29) 

The a operators above will be defined using a tree vari- 
able W given by the equation 

'1 x = r 



QyWy 

= < (1 - Qy)W y 

Q V BlWy/By 
{(l-g y )BlWy/By 



x = yO and |x| odd 
x = yl and \x\ odd 
x = yO and |x| even 
x = yl and |x| even 

n (A30) 

which is based on the weig ht matrix W of Ref. .1]. Note 
that, though it is possible for B y to be zero, this can only 
occur if both B y o and B v \ are zero as well, in this case 
we define W y o = W y i = 0, which resolves the potential 
division by zero. 

Because B is computed bottom-up, whereas W is com- 
puted top-down, every node of W depends on the com- 
plete n-Coin-Game assignment Q. The appearance at 
every node of such global information about the protocol 
is crucial for optimal solutions of these SDPs and will 
also occur with the tree variable Z defined below in the 
section on upper bounds. 

Define the a operators as diagonal matrices with en- 
tries given by 

(x\a k \x)=W x for|x| = fc. (A31) 

The requirements of Eq. i|A28|) are satisfied if 



WyO = GyW y and W yl = (l-g y )W y (for \y\ even), 

(A32) 

whereas Eq. (| A29I) only imposes the weaker requirement 



W y =W y0 + W yl (for \y\ odd), 



(A33) 



both of which are clearly satisfied by W. We have there- 
fore outlined a valid cheating strategy for Bob through 
step 2. 



The next two steps will follow the protocol exactly, in 
which case the operator pe follows from p n by adjusting 
the space H ac : 



PE = ^W X \x)(x\ Ha 

X 

®\o)(o\ Hm . 



H , ® \Qx){Gx\ Ha 



(A34) 



Finally, in the last steps, conditioned on qubit ac be- 
ing zero Alice sends her state to Bob. Conditioned on 
qubit ac being one, Bob returns the purification of the 
remaining qubits, so the final state is: 



p F = \<h){<h\H a &H„, ® W\h„ C 

+Co|o)(o| Hti0H ® |0)(0|^ 



h m (A35) 



where Co is an unimportant constant (equal to the sum 
of W x for all x such that Q x = 0), and \cj>\) is the unnor- 
malized state given by 



\4>x) = J2 V^\x) Ha ® \ x ) Ha r 



(A36) 



Bob's probability of winning is given by 



I Ho, 



VP. 



(A37) 



Qxl/WwVa 

X 

\x\— n 



/H r , 



where the factor of Q x ensures that the sum is only taken 
over strings x satisfying Q x = 1. 

While the expression for computing p seems rather 
daunting, we shall show in a moment that when prop- 
erly written, it is a conserved quantity that has the same 
value at every depth in the tree. We begin with the fol- 
lowing two observations: for \y\ even 



VByoVWyoVyO + VByly/W vl V yl 



= B y ^WyPy 

whereas for \y\ odd we have 



(A38) 



ByQ y/Wy0Vy + B yl ^WylVyl 



(G y B 2 y0 + (1 - G y )B 2 yl ) 



WyVy/By 



^^JWyVy- 



(A39) 



For the special case when B y = the equation is also 
valid as it reads + = 0. By induction, we can obtain 
the following result 

B r Jw7P r = l^>\*\=k B xVW x V x foranyevenfc, 
\l>2x-,\x\=k^®^^Wx'P x for any odd k, 

(A40) 
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where as usual < k < n 
\x\ = n we have Q x = B x = 

thatp= \BrVW r V r " 



In particular, because for 
fB~^ 6 {0, 1} we have shown 



/7i r , which is the probability with 
which Bob can win the coin-flip by cheating using the 
strategy outlined above. Since W r = V r = 1 we have 
proven the desired lower bound: 



Lemma 12. For Protocol 1: 

Bl 



Pr > 



(A41) 



3. Upper Bounds 

We shall prove an upper bound by exhibiting a solu- 
tion to the dual SDP. We use the derivation of the dual 
in Ref. |l2j |. though a direct derivation (as was done in 
Ref. 1]) would be fairly simple as well. 

O ur p rotocol can be rewritten in the notation of 
Ref. G3- Let m = [{n + 1)/2J and define U A ,i = R A ,i, 

UA,j = R A ,2j-l^A,2j-2 for j — 2,..., TO, f/^m+l = 

T A ,oR AtE S A , n (or if n is odd just U A , m +i = T Afi R A , E ) 
and C/ J 4,m+2 = T AA . The final measurement is 1 = 
\i ) A A )('4 ) A,i |- In this notation, we are looking for the max- 
imum of Trpyi.i pA,m+2\ over assignments of the positive 
semidcfinite variables p A ,o, ■ ■ ■ , p A , m +2 satisfying: 



Tr M [pA,j] = Tr 



Ua,j PA,j-l U 



(A42) 



for j = 1,...,to + 2 and Tr M \p A ,o] = \0)(0\ HjL . The 
initial condition for p A ^ (rather than the usual p A $ — 
|0)(0| H q H ) simply gives Bob a little more cheating 
power (i.e., to initialize Hm) but this is acceptable as we 
are now focusing on deriving upper bounds on P B and 
this extra cheating power will not be helpful. 

The dual SDP is given by Lemma 11 of Ref. 01 as the 
minimization of (0|Ya,o|0), subject to 



Ya 



> U A h+i (Ya 



<u A 



3+1 



(A43) 



for < j < m + 1, where Ya, . . . , Y m+ i are Hermitian 
operators on H A and Y A , m +2 = H^i. Because this is the 
dual SDP to the original coin-flipping SDP corresponding 
to Protocol 1, any assignment of the variables Y Aj i that 
satisfies the constraints will produce a value of (0|Va,o|0) 
that is an upper bound on P B . However, rather than 
finding a solution to the above dual SDP, we shall study 
a modified, but equivalent, SDP: 

Lemma 13. Let Zq, . . . , Z n+ 2 be a set of Hermitian ma- 
trices, defined on H A , satisfying the following equations: 



where < k < n, and 

Z n ®I HM > R A ^ E ( Z n+l®lH M )RAE, (A45) 
Z n+1 ®I HM > T A l{Z n+2 ®I HM )T Afi , (A46) 
Z n+2 <8 Ih m > TX\ {\^ A ,x){^ A ,x\ ® Ih m )T aa . (A47) 

then (3 = (0|Zo|0) is an upper bound on Pg. 

The proof follows by noting that given a set of 
Zq, . . . , Z n+ 2 satisfying the above equations, we can set 
Y Q = Z Q , Yj = Z 2 j-i for j = 1, . . . , to and Y m+1 = Z n+2 
to obtain a solution with the same minimum as the orig- 
inal dual SDP. 

We introduce a new variable, defined on a tree of depth 
n, which shall be used in constructing solutions of the 
dual SDP: 



B 2 r /H r 

IB X ZyjBy 



x = r 
\x\ odd 
I a; I even 



(A48) 



where y is the parent node of x (i.e., either x = yO or 
x = yl). Once again we resolve the division by zero by 
declaring Z v q = Z y \ — whenever B v = and \y\ is 
even. 

We begin the description of the solution to the dual 
SDP by choosing 



Z-n+2 — 



Z x \x)(x\ Ha ®I Ha ,®\l)(l\ Hac . (A49) 



X 

\x\—n 

To verify that Z n+2 satisfies Eq. \ A47|l . we note that 
we can move the unitary operators T A \ to the left hand 
side of the equation, where they act trivially (i.e., they 
exchange Ih , with We are left with the task of 

proving Z n+2 > |^a,i)(^,i|< 
It is sufficient to show that 



Z n+2 + eI HA > \ipA,i)(ipA,i\ 



(A50) 



for every e > 0. Because Z n+2 is non-negative, the left- 
hand-side above is positive definite. We can rescale our 
space by (Z n+2 +elH A )~ 1 / 2 to obtain the equivalent equa- 
tion 

I > (Zn+2 + eI HA )~^ 1^,1X^1 1 (Zn+2 + zIh A ) ^ ■ 

The right-hand-side of the above equation has only one 
non-zero eigenvalue, it is therefore sufficient to check that 



1 > {i>A,l\ (Z n +2 +elH A ) \lpA,l)- 

We need to study the quantity 



(A52) 



R Ak+i ( Z k+i ® lH M )R A ,k+i (k even), (Vu.ll ( Z n+2 + eI HA ) 1 = 



Z k Ih m > 

Zk ® Ih m > S A ^ k+1 (Z k+ i ® I HM )S A . k +i (k odd), 

(A44) 



E 

X 



v x 



(A53) 
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which once again is related to a conserved quantity at 
every level of the tree. However, we first note the fol- 
lowing properties which can be checked directly from the 
definitions: 

• V x > implies V y > for every node y that has x 
as a descendant. 

• V x > and B x > implies that B y > for every 
node y that has descendant. 

• Pa; > and B x > implies > 0. 

We can now remove e from the above expression, be- 
cause if Z x = then either V x — or B x — (which 
implies = 0): 



(■0a,i| (Z n+2 + tin A ) 1 IV'a.i) < 



E 



Qx^x 



(A54) 



where the factor Q x imposes the condition Q x = 1, and 
the condition iJ^ > has been moved into the sum. 
If \y\ is odd and Z y > we have 



y O£j/0 
'J/0 



_ ByVy 



(A55) 



where the left-hand side is well defined because Z v q = 
Z y i = Z y > 0. If \y\ is even we have 

ByQVyO 



By{P, 
Zyl 



Gy) 



ByVy 



E 2 V 

Oyl y 



(A56) 



Even if Z y > it is possible for either Z v q or Z y \ (or 
both) to be zero. If both are zero, then so is B y Vy. If 
only one of them is zero (say Z v q) then the equation 
is still valid with the offending term removed (that is, 
ByiPyi/ Z y i = ByVy / Z y ). Using induction, we can prove 



1 = B 2 r V r = I Ex;| K | = fe;Z x >0 fol ' ^ ^ k 

H - Z - lE,;|.| =fcA >o^ for any odd fc 

(A57) 

and in particular, because Q x — B x — B x for |x| = n we 

have shown (Z n +2 + elH A )~ \^A,i) < 1 for every 

e > 0, thus completing the proof that our choice for Z n+2 
satisfies the requirement imposed by Eq. (|A47I) . 

The next few requirements are easier to check. Since 
Z n+ 2 only has support on the space in which qubit ac is 
one, on which Ta,o acts trivially, we can satisfy Eq. (|A46(I 
by choosing 

^2 Z x \x){x\ Ha ®lH a , ® \Qx){Qx\ Hac 



\x\— n 
> Zn+2) 



(A58) 



where the inequality follows because we have simply in- 
cluded the (non-negative) coefficients for the states with 

Q X = Q. 

The unitary Ra,e operates only on the space Ha hence 
Eq. I|A45I) can be satisfied by choosing 



^2 Z x\x)(x\ Ha ® I Ha 

X 

\x\— n 



(A59) 



Finally, fix a new parameter e' > 0, and define 



Zk = ^2 ( Zx 

\x\=k 



)H a i<S>H ac 



+c k i ai ,..., ak ®(i-\o)(o\) Ha 



, an ®H a r®H ac ' 



for k — 0, . . . , n — 1. The constants Ck will be defined 
recursively below, starting with C n —\. For k — the 
above should be interpreted as 



Z = (Z r + e') 



+ C (/-|0)(0|)„ . (A61) 



In order to prove that our solution to the dual SDP 
is valid, all that remains is to check Eq. 1 A44|l . The 
case of k odd is fairly simple because Z y = Z y o = Z y \ 
for \y\ odd, therefore qubit a,k+i of Zk+i is unentangled 
with the rest of the qubits and its state is the identity 
density matrix (i.e., Zk+i = Ia k+1 ® Z' where Z' is an 
operator on the rest of the qubits). As the swap operator 
SU,fc+i acts trivially on Zk+i <S> Ih m j ^ is sufficient to 
check Zk > Zk+i, which is satisfied if Ck > Ck+i- For 
the special case of k = n — 1 (and n even) it suffices to 
choose C'k > max Z x where the maximum is taken over 
all strings x such that |jc| = n. 

What remains to be proven is Eq. (|A44ll for the case 
of even k. Fix some even value of k and let a = Zk <8> 
I Hm and f3 = R A ] k +i ( Z k+i ® Ih m ) R-A,k+\- There are 
just the left- and right-hand sides of the equation we are 
trying to prove: a > (3. Define the projector 



n = /„ 



Ha 



.®H'®H a 



(A62) 



We shall prove in a moment IT(a — /3)II = —II. It is 
also easy to see that ITa(/ — IT) = (I — n)o:li = and 
(I— n)a(J— II) = Cfc(7— n). Under these conditions, it is 
always possible to choose a large enough Ck so that a > 
(3, which defines Ck in terms of Ck+i (except for C„_i 
which can be defined directly from Z n ). For a proof, see 
for instance the proof of Lemma 3 in Ref . Q] . 

To prove n(a — /3)U — we need to study the effect 
of the unitary RA,k+i on Z n+1 . The expression has the 
form of a sum of |a;)(a;| ai afc tensored with 

UiG.y 1 [(z x0 \0)(0\ ak+i +Z xl \l)(l\ ak+i ) ®Z ro ] U{Q X ) 

(A63) 
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for |a;| = k, where U{z) is defined by Eq. (|A5|) - The 
component of the above that survives the projection II 
has the form 

{G x z x0 + (i - g x )z xl ) |o)(o| Qfc+i ® i m 

= (GxVBm + 0--Sx)VB^ g^|0)(Q| Qfe+1 ®i m 
= Z 2; |0)(0| Qfe+i ®/ m . (A64) 

It is now straightforward to check that nail = 11/311 + 
—II, completing the proof that our choice of Z^ satisfies 
Eq. ESJ). 

Note that, while the original protocol only depends on 
the first column of the matrix U(z), the above calcula- 
tion involved the entire matrix. The reason for this is 
that when transforming from the SDP involving the Y 
variables to the SDP involving the Z variables we gave 
Bob a small amount of extra cheating power to set the 
qubits in Hm between application of SA,k and R^k+it 
in which case the full matrix U(z) becomes important. 
However, since the upper bound derived in this section 
matches the lower bound from the last section, it should 
be clear that such extra power is not useful. 

The result thus far is the description of a set of vari- 
ables Zq, . . . , Z n+ 2 satisfying the equations of the dual 
SDP. This gives us an upper bound P* B < (3 = (0\Z \0) = 
Z r +e'. However, since e' > is arbitrary, we have proven 



Lemma 14. For Protocol 1: 

B 2 



(A65) 



4. Honest Bob v Cheating Alice 

The analysis of the case of honest Bob and cheating 
Alice is fairly similar to the above calculations. Fortu- 
nately, we can exploit certain symmetries in the protocol 
to derive expressions for from the above expressions 
forP* B . 

Given an n-Coin-Game Q define a new (n + ^-Coin- 
Game, Q' by the rules Q' r — 1, Q' 0x = Q[ x = Q x for 
|x| < n and G' 0x = Q' Xx = 1 - Q x for \x\ = n. We'd like 
to argue that the quantum protocol associated with Q' 
is equivalent to the protocol associated with Q but with 
Alice's and Bob's roles exchanged. 

The basic idea is that the first message of Q' , which 
Alice sends to Bob is the pure state |0). If Bob is cheat- 
ing this state reveals no extra information about Alice's 
state, and if Alice is cheating she has no incentive to re- 
veal herself as a cheater by sending anything other than 
the state |0). The subsequent messages in Q' correspond 
to those of Q but with Alice and Bob reversed. The only 
potential problem with this argument is that the order 
of the cheat detection messages (steps 5 and 6) needs to 
be switched in order to make the protocols equivalent. 
However, we argued after formulating the problem as an 



SDP that these two steps could be exchanged without 
increasing or decreasing P B . 

Therefore, Bob's maximum probability of winning by 
cheating in Q' , which we call P B ' and can be calculated 
using the above formulas, equals PjJ. But B' r = \fA~^ and 
H' r = 1 — H r , where the primed variables are calculated 
from Q' . The conclusion is that 



Pt>' 



B? 
HI 



1-Hr 



(A66) 



In particular we have proven the main result of this 
appendix, which is equivalent to Theorem ^ 

Theorem 15. The quantum weak coin-flipping protocol 
associated to an n- Coin-Game Q by Protocol 1 satisfies: 



p* 

1 A 



1 - H r 



P*B = 



Bl 

H r 



(A67) 



and Pa = I — Pb = l — H r , where A, B andH are defined 
in terms of Q by Eqs. 

The above result could be made more symmetric be- 
tween Alice and Bob, if we were to redefine A and B 
by 



A (new) 





|.r| 


even 




\x\ 


odd 


B x 


\x\ 


even 


Vb; 


|.r| 


odd 



(A68) 
(A69) 



which could be computed bottom- up by a sequence of lin- 
ear and root-mean-squared averages as in Ref. 0. The 
new definitions would also make the conserved quantities 
such as Eqs. (|A40IA57|) have the same expression at even 
and odd depths. However, the old definitions make man- 
ifest the convexity that was exploited in the main sec- 
tions of this paper, and therefore these definitions were 
selected. 



APPENDIX B: 0.192 REVISITED 

In this section we shall derive an analytical expression 
that corresponds to the bias of 0.192 found in Ref. 0]. 
Since the protocol with bias 0.192 has been superseded 
by the results of the present work, we shall only sketch 
the proof. Nonetheless, we hope that the techniques used 
in deriving this expression, which are rather different to 
the approach taken in the rest of the paper, will be of 
use in some future applications. 

The protocols that converged to a bias of 0.192 had 
Coin-Games such that Q x = a\ x \+\ for binary nodes. The 
pattern of zeros and ones on the leaves was such that, at 
each depth, the tree A x only had two values which we 
can call the high value and the low value. The high value 
only got updated at even depths whereas the low value 
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only got updated at odd depths. In particular, the value 
of the root node could be calculated using the following 
sequences: set H n = 1 and L n — and define 



same point Hq — Lq. To study the convergence point 
we can study H as a function of L, which satisfies the 
differential equation 



H k - y a k+1 L\ +1 + (1 - a k+1 )H^ +1 , 
for even k > 0, and 



Hk — Hk+i, 
Lk = a,k+iHk+i 



(1 — OA+l)ifc+l, 



(Bl) 
(B2) 



(B3) 
(B4) 



for odd k > 0. The value of A r is then given by Hq. 

The sequence is defined so that H decreases and L 
increases with decreasing k. At every step the condition 
1 > Hk > Lk > holds. For good choices of afc the two 
sequences will approach each other and Hq will be close 
to L . 

A good sequence of parameters will also have a k small 
for large k. For k small, a k can be larger as long as 
&k{Hk — Lk) remains small. In such a case, we can use 
the expansion 



Hi 



Hk 



fc+i — flfe+i 



it2 t1 



(B5) 



for even k. 

Furthermore, if a^- is slowly varying, we can replace it 
with a continuous function a(k), and the above compu- 
tation can be approximated by the coupled differential 
equations 



dH 
~dk 

dL 
dk 



a(k) H 2 - L 2 
a{k) 



2H 

(H-L), 



(B6) 
(B7) 



where now H and L are treated as functions of the con- 
tinuous variable k € [0, n]. An extra factor of 1/2 was 
picked up on the right hand side of the above equations 
because H and L only get updated every other integer in 
the discrete sequence. 

Of course, we are only concerned with the convergence 
point where H ~ L. In the limit n — > oo, and for ap- 
propriate a(k), the two expressions will converge to the 



dH _ H + L 
~dL ~ 2H ' 



(B8) 



Surprisingly, the function a(k) drops out of the above 
expression which means it only controls the rate of con- 
vergence but not the final point of convergence (assuming 
it satisfies the requirements discussed above). In essence, 
much the same behavior can be observed by choosing dif- 
ferent 7„ sequences for the protocol with bias 1 /6 found 
in the main section of this paper. 

The differential equation is invariant under simultane- 
ous rescaling of H and L, and therefore becomes separa- 
ble under the change of variables H — > H / L. Its solutions 
have the form 



log H 



2 . V7L 

— — arctan 

V7 4ff + 1 



const. 



(B9) 

The initial condition for the differential equation is 
H(L = 0) = 1, which corresponds to the initial start- 
ing point when k — » oo. Applying the initial condition 
we obtain const = 0. We are interested in the point 
where H and L converge, that is, the value Lq such that 
H{L ) = L : 



9 2 V7 
log 2Lq — ■= arctan . 



V7 



(B10) 



From this value we can obtain A r = Lq. When afc varies 
slowly enough and meets our other requirements we also 
get Pa = 1/2 and therefore = 2L§. These conditions 
also guarantee that Pg = P£, hence 



PX = P* B = Exp 



2 + V7 

= arctan 

V7 5 



~ 0.692181687, (Bll) 
which corresponds to the bias e ~ 0.192 from Ref. 0. 
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